feat: add WebAuthn/passkey SDK methods#40
Closed
lakhansamani wants to merge 2 commits into
Closed
Conversation
Wraps the 6 new webauthn_* GraphQL operations (authorizerdev/authorizer#671) and adds the browser-side ceremony glue. Raw methods: webauthnRegistrationOptions/Verify, webauthnLoginOptions/Verify, webauthnCredentials, webauthnDeleteCredential - GraphQL-only (no REST route), so these call graphqlQuery directly rather than through dispatch. High-level orchestration: registerPasskey(name?) and loginWithPasskey(email?) drive the full options -> browser API -> verify round trip in one call. src/webauthn.ts uses the browser's native PublicKeyCredential. parseCreationOptionsFromJSON / parseRequestOptionsFromJSON / credential. toJSON() rather than hand-rolled base64url<->ArrayBuffer conversion - go-webauthn's JSON wire format is the spec-defined RegistrationResponseJSON/ AuthenticationResponseJSON shape those APIs are built around, confirmed by reading the library's struct tags directly rather than assuming. isWebauthnSupported() is exported for callers to feature-detect before showing passkey UI.
registerPasskey/loginWithPasskey previously collapsed every navigator.credentials.create/get rejection (including the very common "user dismissed the passkey picker" case, a NotAllowedError) into a generic Error with only a message - no way for a caller to distinguish cancellation from a real failure the way GraphQL errors already allow via .code. wrapCeremonyError now attaches the DOMException's own standard .name (NotAllowedError, InvalidStateError, etc.) as an additive, non-enumerable .code - the same field GraphQL errors carry - so callers get one consistent way to branch on error kind rather than matching message text. Reuses the browser's own exception names instead of inventing new ones. Also fixed isWebauthnSupported to check for credential.toJSON() support, not just the two parseOptionsFromJSON statics - all three shipped together in the same WebAuthn Level 3 browser releases, but checking only two left a gap where the capability check could pass while the actual toJSON call later fails.
001697e to
be799b6
Compare
Contributor
Author
|
Rebased onto the updated #39 (non-enumerable code + shared toSDKError). Also addressed the remaining review findings for this PR: ceremony errors ( |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Wraps the 6 new
webauthn_*GraphQL operations fromauthorizerdev/authorizer#671and adds browser-side ceremony glue.webauthnRegistrationOptions/Verify,webauthnLoginOptions/Verify,webauthnCredentials,webauthnDeleteCredentialregisterPasskey(name?)andloginWithPasskey(email?)drive the full options → browser API → verify round trip in one callisWebauthnSupported()exported for feature detectionDesign note
src/webauthn.tsuses the browser's nativePublicKeyCredential.parseCreationOptionsFromJSON/parseRequestOptionsFromJSON/credential.toJSON()rather than hand-rolled base64url↔ArrayBuffer conversion — confirmed by readinggo-webauthn's Go struct tags directly that its JSON wire format is exactly the spec-definedRegistrationResponseJSON/AuthenticationResponseJSONshape those browser APIs are built around.Base branch
This targets
feat/error-extensions-code(#39), notmain—webauthnLoginVerify's error handling relies onerrors[0].code, which only exists on that branch. Rebase ontomainonce #39 merges.Test plan
__test__/webauthnMethods.test.ts— 7 new unit tests (mocked fetch) covering all 6 raw methods including the email-verification-gate error codenpx jest)tsc --noEmitclean, build clean (ESM/CJS/IIFE)Browser ceremony glue (
registerPasskey/loginWithPasskey) isn't unit-testable in this Node/Jest environment (no realPublicKeyCredential) — will be exercised live inauthorizer-react's example app against a real backend next.